CVE-2025-11141— Ruijie NBR2100G-E 操作系统命令注入漏洞

Ruijie NBR2100G-E branch_passw.php listAction os command injection

A security flaw has been discovered in Ruijie NBR2100G-E up to 20250919. Affected by this issue is the function listAction of the file /itbox_pi/branch_passw.php?a=list. Performing manipulation of the argument city results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Ruijie NBR2100G-E 操作系统命令注入漏洞

Ruijie NBR2100G-E是中国锐捷（Ruijie）公司的一个网关路由设备。 Ruijie NBR2100G-E 20250919及之前版本存在操作系统命令注入漏洞，该漏洞源于对文件/itbox_pi/branch_passw.php中参数city的错误操作，可能导致远程os命令注入。

N/A

N/A